  1. #1
    Join Date
    Jul 2004
    Posts
    306

    Unanswered: Weird authentication problem

    UDB 9.7 FP4
    SLES 10

    The test user is valid and can log in to the Linux box.

    I create a DB
    I grant the user dbadm
    User gets password failure - the password is DEFINITELY correct, and the user is valid and working....

    Code:
     db2 create database test_con using codeset UTF-8 territory us
    DB20000I  The CREATE DATABASE command completed successfully.
    db2inst1@udb21:~> db2 connect to test_con
    
       Database Connection Information
    
     Database server        = DB2/LINUXX8664 9.7.4
     SQL authorization ID   = DB2INSSI
     Local database alias   = TEST_CON
    
    db2inst1@udb21:~> db2 grant dbadm on database to user testusr01
    DB20000I  The SQL command completed successfully.
    db2inst1@udb21:~> db2 connect to test_con user testusr01
    Enter current password for testusr01: 
    SQL30082N  Security processing failed with reason "24" ("USERNAME AND/OR 
    PASSWORD INVALID").  SQLSTATE=08001
    db2inst1@udb21:~> id testusr01
    uid=19958(testusr01) gid=100(users) groups=100(users),841(svr_udb21_access),842(svr_udb21_wheel),55009(ops),50002(db2inst),19836(dba)
    What am I missing?

  2. #2
    Join Date
    Jul 2004
    Posts
    306
    Further info:

    I can connect to the DB with a local user which has been in place for some time

    db2 connect to test_con user extn
    Enter current password for extn:

    Database Connection Information

    Database server = DB2/LINUXX8664 9.7.4
    SQL authorization ID = EXTN
    Local database alias = TEST_CON

    and I can connect implicitly as testusr01

    testusr01@udb21:~> db2 connect to test_con

    Database Connection Information

    Database server = DB2/LINUXX8664 9.7.4
    SQL authorization ID = TESTUSR01
    Local database alias = TEST_CON

    But explicit connection fails :/

    testusr01@udb21:~>db2 connect to test_con user testusr01
    Enter current password for testusr01:
    SQL30082N Security processing failed with reason "24" ("USERNAME AND/OR
    PASSWORD INVALID"). SQLSTATE=08001

    What the?

  3. #3
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Does the password for testusr01 contain any punctuation marks or non-ASCII characters? Is it longer than 8 characters?

  4. #4
    Join Date
    Jul 2004
    Posts
    306
    It has upper and lower case characters and a -
    I've also tried a local user with only lowercase but that was more than 8 long.

    I'll try a lowercase & numeric only less than 8

  5. #5
    Join Date
    Jul 2004
    Posts
    306
    Originally posted by n_i:
    Does the password for testusr01 contain any punctuation marks or non-ASCII characters? Is it longer than 8 characters?
    Nope tried it with a 7 character alpha-num lower case... same

  6. #6
    Join Date
    Apr 2012
    Posts
    1,035
    Provided Answers: 18
    What is AUTHENTICATION dbm cfg setting?
    What is the output of db2set -all ?

  7. #7
    Join Date
    Jul 2004
    Posts
    306
    GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
    Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
    Database manager authentication (AUTHENTICATION) = SERVER
    Alternate authentication (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
    Cataloging allowed without authority (CATALOG_NOAUTH) = NO
    Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
    Bypass federated authentication (FED_NOAUTH) = NO

    [i] DB2_PMODEL_SETTINGS=MAX_BACKGROUND_SYSAPPS:500
    [i] DB2_INLIST_TO_NLJN=YES
    [i] DB2_EVALUNCOMMITTED=YES
    [i] AUTOSTART=YES
    [i] DB2_RR_TO_RS=YES
    [i] DB2COMM=tcpip
    [g] DB2SYSTEM=udb21
    [g] DB2ADMINSERVER=dasusr

  8. #8
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,369
    Can you use a user ID with more than 8 char?


    User IDs on Linux and UNIX operating systems can contain up to 8 characters.
    IBM DB2 9.7 Information Center for Linux, UNIX, and Windows


    What's logged in the db2diag.log?

  9. #9
    Join Date
    Jul 2004
    Posts
    306
    Oh I've obfuscated the real users etc.
    It's a problem for users less than 8 characters

    The diaglog just shows authentication failures with the password.

  10. #10
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,369
    We recently had a problem with some user IDs not being able to connect when supplying the password. It had something to do with password encryption: the encrypted password stored in /etc/shadow was too long. I could connect without specifying the password. I think the RC was 15, not 24 (this was v9.1) but still check what's in shadow. The diag.log should have rc=-<value>. Do "db2diag -rc <value>" to check it.

  11. #11
    Join Date
    Jul 2004
    Posts
    306
    2012-06-14-12.49.32.223255+600 I5547964E446 LEVEL: Warning
    PID : 4742 TID : 47592775870784PROC : db2sysc
    INSTANCE: db2dev NODE : 000 DB : TEST_CON
    APPHDL : 0-32819
    EDUID : 543 EDUNAME: db2agent (TEST_CON)
    FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
    DATA #1 : String with size, 66 bytes
    Password validation for user test076 failed with rc = -2146500507

    db2diag -rc -2146500507

    Input ZRC string '-2146500507' parsed as 0x800F0065 (-2146500507).

    ZRC value to map: 0x800F0065 (-2146500507)
    V7 Equivalent ZRC value: 0xFFFF8665 (-31131)

    ZRC class :
    SQL Error, User Error,... (Class Index: 0)
    Component:
    SQLO ; oper system services (Component Index: 15)
    Reason Code:
    101 (0x0065)

    Identifer:
    SQLO_BAD_PSW
    Identifer (without component):
    SQLZ_RC_BADPSW

    Description:
    The password is not valid for the specified userid

    Associated information:
    Sqlcode -30082
    SQL30082N Security processing failed with reason "" ("").

    Number of sqlca tokens : 2
    Diaglog message number: 8111

    2012-06-14-12.49.32.224521+600 I5549792E687 LEVEL: Info
    PID : 2566 TID : 47119528585056PROC : db2bp
    INSTANCE: db2d NODE : 000
    FUNCTION: DB2 UDB, oper system services, sqlofica, probe:10
    DATA #1 : SQLCA, PD_DB2_TYPE_SQLCA, 136 bytes
    sqlcaid : SQLCA sqlcabc: 136 sqlcode: -30082 sqlerrml: 36
    sqlerrmc: 24 USERNAME AND/OR PASSWORD INVALID
    sqlerrp : SQLEXSMC
    sqlerrd : (1) 0x80370125 (2) 0x00000125 (3) 0x00000000
    (4) 0x00000000 (5) 0x00000000 (6) 0x00000000
    sqlwarn : (1) (2) (3) (4) (5) (6)
    (7) (8) (9) (10) (11)
    sqlstate: 08001
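
The db2diag.log check from posts #10 and #11, as an added example that is not part of any poster's reply: it pulls every "Password validation ... failed" record out of a log and converts the signed rc to the hex form that `db2diag -rc` prints. The sample log is constructed, and the component/reason bit positions are an assumption inferred from the single decoded value shown in post #11.

```python
import re
from collections import Counter

# Constructed records in the layout of the db2diag.log excerpt in the thread.
SAMPLE_LOG = """\
2012-06-14-12.49.32.223255+600 I5547964E446 LEVEL: Warning
INSTANCE: db2dev NODE : 000 DB : TEST_CON
Password validation for user test076 failed with rc = -2146500507

2012-06-14-12.49.40.000001+600 I5550500E446 LEVEL: Warning
INSTANCE: db2dev NODE : 000 DB : TEST_CON
Password validation for user test076 failed with rc = -2146500507

2012-06-14-12.50.01.000002+600 I5551000E300 LEVEL: Info
INSTANCE: db2dev NODE : 000
sqlerrmc: 24 USERNAME AND/OR PASSWORD INVALID
"""

RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d+[+-]\d+)\s", re.M)
DB_FIELD = re.compile(r"\bDB\s*:\s*(\S+)")
FAILURE = re.compile(r"Password validation for user (\S+) failed with rc = (-?\d+)")

def decode_rc(rc):
    """Show a signed rc as the 32-bit hex value that db2diag -rc reports."""
    value = rc & 0xFFFFFFFF  # two's complement view of the signed integer
    # Assumption: field positions inferred from the one decoded value in the thread.
    return {"hex": "0x%08X" % value,
            "component_index": (value >> 16) & 0xFF,
            "reason_code": value & 0xFFFF}

def parse_failures(text):
    """Return one dict per record that logs a failed password validation."""
    starts = [m.start() for m in RECORD_START.finditer(text)] + [len(text)]
    failures = []
    for begin, end in zip(starts, starts[1:]):
        record = text[begin:end]
        hit = FAILURE.search(record)
        if not hit:
            continue  # other record types (such as the SQLCA dump) are skipped
        db = DB_FIELD.search(record)
        failures.append({"time": RECORD_START.match(record).group(1),
                         "db": db.group(1) if db else None,
                         "user": hit.group(1),
                         **decode_rc(int(hit.group(2)))})
    return failures

def summarize(failures):
    """Count failures per (user, database, hex rc)."""
    return Counter((f["user"], f["db"], f["hex"]) for f in failures)
```

Grouping by user and rc shows at a glance whether every affected ID fails with the same code, which is the pattern described in this thread.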

  12. #12
    Join Date
    Jul 2004
    Posts
    306
    Originally posted by db2girl:
    We recently had a problem with some user IDs not being able to connect when supplying the password. It had something to do with password encryption: the encrypted password stored in /etc/shadow was too long. I could connect without specifying the password. I think the RC was 15, not 24 (this was v9.1) but still check what's in shadow. The diag.log should have rc=-<value>. Do "db2diag -rc <value>" to check it.
    Oh and I don't think it's the shadow. I get the problem with a local user AND with an eDirectory user, which doesn't have an entry in the shadow file.

  13. #13
    Join Date
    Apr 2012
    Posts
    1,035
    Provided Answers: 18
    I suspect that the problem is connected with the eDirectory and DB2 config (eDirectory is Novell's LDAP solution I believe).
    I've seen issues like this where users defined locally were also defined in the LDAP database but with slightly different attributes. The operating system login used local authentication (successfully) but DB2 used LDAP authentication (and failed due to inconsistent information between local and LDAP user).
    Might be worthwhile double-checking all the assumptions ...and also tracing what's happening in the LDAP side.

  14. #14
    Join Date
    Jul 2004
    Posts
    306
    Originally posted by db2mor:
    I suspect that the problem is connected with the eDirectory and DB2 config (eDirectory is Novell's LDAP solution I believe).
    I've seen issues like this where users defined locally were also defined in the LDAP database but with slightly different attributes. The operating system login used local authentication (successfully) but DB2 used LDAP authentication (and failed due to inconsistent information between local and LDAP user).
    Might be worthwhile double-checking all the assumptions ...and also tracing what's happening in the LDAP side.
    Yeah, I also believe that to be the area of the problem but I've tried:
    An eDirectory only user - Failure
    An eDirectory user ALSO with a local account - Failure
    An older local only user - success
    A new local only user same ID properties and groups etc - failure

    Yeah, we've got the OS/Networking guys looking at that side of it... they see very little coming from DB2 in the logs thus far... I've got a PMR open too...

  15. #15
    Join Date
    Jul 2004
    Posts
    306
    No reply from IBM on the PMR since lunchtime Thur :/

    Anyone here got any other ideas?
